|  | TLS 1.3 support | 
|  | =============== | 
|  |  | 
|  | Overview | 
|  | -------- | 
|  |  | 
|  | Mbed TLS provides an implementation of the TLS 1.3 protocol. The TLS 1.3 support | 
|  | may be enabled using the MBEDTLS_SSL_PROTO_TLS1_3 configuration option. | 
|  |  | 
|  | Support description | 
|  | ------------------- | 
|  |  | 
|  | - Overview | 
|  |  | 
|  | - Mbed TLS implements both the client and the server side of the TLS 1.3 | 
|  | protocol. | 
|  |  | 
|  | - Mbed TLS supports ECDHE key establishment. | 
|  |  | 
|  | - Mbed TLS supports DHE key establishment. | 
|  |  | 
|  | - Mbed TLS supports pre-shared keys for key establishment, pre-shared keys | 
|  | provisioned externally as well as provisioned via the ticket mechanism. | 
|  |  | 
|  | - Mbed TLS supports session resumption via the ticket mechanism. | 
|  |  | 
|  | - Mbed TLS supports sending and receiving early data (0-RTT data). | 
|  |  | 
|  | - Supported cipher suites: depends on the library configuration. Potentially | 
|  | all of them: | 
|  | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, | 
|  | TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. | 
|  |  | 
|  | - Supported ClientHello extensions: | 
|  |  | 
|  | | Extension                    | Support | | 
|  | | ---------------------------- | ------- | | 
|  | | server_name                  | YES     | | 
|  | | max_fragment_length          | no      | | 
|  | | status_request               | no      | | 
|  | | supported_groups             | YES     | | 
|  | | signature_algorithms         | YES     | | 
|  | | use_srtp                     | no      | | 
|  | | heartbeat                    | no      | | 
|  | | alpn                         | YES     | | 
|  | | signed_certificate_timestamp | no      | | 
|  | | client_certificate_type      | no      | | 
|  | | server_certificate_type      | no      | | 
|  | | padding                      | no      | | 
|  | | key_share                    | YES     | | 
|  | | pre_shared_key               | YES     | | 
|  | | psk_key_exchange_modes       | YES     | | 
|  | | early_data                   | YES     | | 
|  | | cookie                       | no      | | 
|  | | supported_versions           | YES     | | 
|  | | certificate_authorities      | no      | | 
|  | | post_handshake_auth          | no      | | 
|  | | signature_algorithms_cert    | no      | | 
|  |  | 
|  |  | 
|  | - Supported groups: depends on the library configuration. | 
|  | Potentially all ECDHE groups: | 
|  | secp256r1, x25519, secp384r1, x448 and secp521r1. | 
|  |  | 
|  | Potentially all DHE groups: | 
|  | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 and ffdhe8192. | 
|  |  | 
|  | - Supported signature algorithms (both for certificates and CertificateVerify): | 
|  | depends on the library configuration. | 
|  | Potentially: | 
|  | ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, | 
|  | rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pss_rsae_sha256, | 
|  | rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512. | 
|  |  | 
|  | Note that in absence of an application profile standard specifying otherwise | 
|  | rsa_pkcs1_sha256, rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256 are | 
|  | mandatory (see section 9.1 of the specification). | 
|  |  | 
|  | - Supported versions: | 
|  |  | 
|  | - TLS 1.2 and TLS 1.3 with version negotiation on client and server side. | 
|  |  | 
|  | - TLS 1.2 and TLS 1.3 can be enabled in the build independently of each | 
|  | other. | 
|  |  | 
|  | - Compatibility with existing SSL/TLS build options: | 
|  |  | 
|  | The TLS 1.3 implementation is compatible with nearly all TLS 1.2 | 
|  | configuration options in the sense that when enabling TLS 1.3 in the library | 
|  | there is rarely any need to modify the configuration from that used for | 
|  | TLS 1.2. There are two exceptions though: the TLS 1.3 implementation requires | 
|  | MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so these options | 
|  | must be enabled. | 
|  |  | 
|  | Most of the Mbed TLS SSL/TLS related options are not supported or not | 
|  | applicable to the TLS 1.3 implementation: | 
|  |  | 
|  | | Mbed TLS configuration option            | Support | | 
|  | | ---------------------------------------- | ------- | | 
|  | | MBEDTLS_SSL_ALL_ALERT_MESSAGES           | yes     | | 
|  | | MBEDTLS_SSL_ASYNC_PRIVATE                | no      | | 
|  | | MBEDTLS_SSL_CONTEXT_SERIALIZATION        | no      | | 
|  | | MBEDTLS_SSL_DEBUG_ALL                    | no      | | 
|  | | MBEDTLS_SSL_ENCRYPT_THEN_MAC             | n/a     | | 
|  | | MBEDTLS_SSL_EXTENDED_MASTER_SECRET       | n/a     | | 
|  | | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE        | no (1)  | | 
|  | | MBEDTLS_SSL_RENEGOTIATION                | n/a     | | 
|  | | MBEDTLS_SSL_MAX_FRAGMENT_LENGTH          | no      | | 
|  | |                                          |         | | 
|  | | MBEDTLS_SSL_SESSION_TICKETS              | yes     | | 
|  | | MBEDTLS_SSL_SERVER_NAME_INDICATION       | yes     | | 
|  | | MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH       | no      | | 
|  | |                                          |         | | 
|  | | MBEDTLS_ECP_RESTARTABLE                  | no      | | 
|  | | MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED     | no      | | 
|  | |                                          |         | | 
|  | | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED         | n/a (2) | | 
|  | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED     | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED   | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED     | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_RSA_ENABLED         | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED     | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED   | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED  | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED    | n/a     | | 
|  | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED     | n/a     | | 
|  | |                                          |         | | 
|  | | MBEDTLS_PSA_CRYPTO_C                     | no (1)  | | 
|  | | MBEDTLS_USE_PSA_CRYPTO                   | yes     | | 
|  |  | 
|  | (1) These options must remain in their default state of enabled. | 
|  | (2) See the TLS 1.3 specific build options section below. | 
|  |  | 
|  | - TLS 1.3 specific build options: | 
|  |  | 
|  | - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE enables the support for middlebox | 
|  | compatibility mode as defined in section D.4 of RFC 8446. | 
|  |  | 
|  | - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED enables the support for | 
|  | the PSK key exchange mode as defined by RFC 8446. If it is the only key | 
|  | exchange mode enabled, the TLS 1.3 implementation does not contain any code | 
|  | related to key exchange protocols, certificates and signatures. | 
|  |  | 
|  | - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED enables the | 
|  | support for the ephemeral key exchange mode. If it is the only key exchange | 
|  | mode enabled, the TLS 1.3 implementation does not contain any code related | 
|  | to PSK based key exchange. The ephemeral key exchange mode requires at least | 
|  | one of the key exchange protocol allowed by the TLS 1.3 specification, the | 
|  | parsing and validation of x509 certificates and at least one signature | 
|  | algorithm allowed by the TLS 1.3 specification for signature computing and | 
|  | verification. | 
|  |  | 
|  | - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED enables the | 
|  | support for the PSK ephemeral key exchange mode. If it is the only key | 
|  | exchange mode enabled, the TLS 1.3 implementation does not contain any code | 
|  | related to certificates and signatures. The PSK ephemeral key exchange | 
|  | mode requires at least one of the key exchange protocol allowed by the | 
|  | TLS 1.3 specification. | 
|  |  | 
|  |  | 
|  | Coding rules checklist for TLS 1.3 | 
|  | ---------------------------------- | 
|  |  | 
|  | The following coding rules are aimed to be a checklist for TLS 1.3 upstreaming | 
|  | work to reduce review rounds and the number of comments in each round. They | 
|  | come along (do NOT replace) the project coding rules | 
|  | (https://mbed-tls.readthedocs.io/en/latest/kb/development/mbedtls-coding-standards). They have been | 
|  | established and discussed following the review of #4882 that was the | 
|  | PR upstreaming the first part of TLS 1.3 ClientHello writing code. | 
|  |  | 
|  | TLS 1.3 specific coding rules: | 
|  |  | 
|  | - TLS 1.3 specific C modules, headers, static functions names are prefixed | 
|  | with `ssl_tls13_`. The same applies to structures and types that are | 
|  | internal to C modules. | 
|  |  | 
|  | - TLS 1.3 specific exported functions, structures and types are | 
|  | prefixed with `mbedtls_ssl_tls13_`. | 
|  |  | 
|  | - Use TLS1_3 in TLS 1.3 specific macros. | 
|  |  | 
|  | - The names of macros and variables related to a field or structure in the | 
|  | TLS 1.3 specification should contain as far as possible the field name as | 
|  | it is in the specification. If the field name is "too long" and we prefer | 
|  | to introduce some kind of abbreviation of it, use the same abbreviation | 
|  | everywhere in the code. | 
|  |  | 
|  | Example 1: #define CLIENT_HELLO_RANDOM_LEN 32, macro for the length of the | 
|  | `random` field of the ClientHello message. | 
|  |  | 
|  | Example 2 (consistent abbreviation): `mbedtls_ssl_tls13_write_sig_alg_ext()` | 
|  | and `MBEDTLS_TLS_EXT_SIG_ALG`, `sig_alg` standing for | 
|  | `signature_algorithms`. | 
|  |  | 
|  | - Regarding vectors that are represented by a length followed by their value | 
|  | in the data exchanged between servers and clients: | 
|  |  | 
|  | - Use `<vector name>_len` for the name of a variable used to compute the | 
|  | length in bytes of the vector, where <vector name> is the name of the | 
|  | vector as defined in the TLS 1.3 specification. | 
|  |  | 
|  | - Use `p_<vector_name>_len` for the name of a variable intended to hold | 
|  | the address of the first byte of the vector length. | 
|  |  | 
|  | - Use `<vector_name>` for the name of a variable intended to hold the | 
|  | address of the first byte of the vector value. | 
|  |  | 
|  | - Use `<vector_name>_end` for the name of a variable intended to hold | 
|  | the address of the first byte past the vector value. | 
|  |  | 
|  | Those idioms should lower the risk of mis-using one of the address in place | 
|  | of another one which could potentially lead to some nasty issues. | 
|  |  | 
|  | Example: `cipher_suites` vector of ClientHello in | 
|  | `ssl_tls13_write_client_hello_cipher_suites()` | 
|  | ``` | 
|  | size_t cipher_suites_len; | 
|  | unsigned char *p_cipher_suites_len; | 
|  | unsigned char *cipher_suites; | 
|  | ``` | 
|  |  | 
|  | - Where applicable, use: | 
|  | - the macros to extract a byte from a multi-byte integer MBEDTLS_BYTE_{0-8}. | 
|  | - the macros to write in memory in big-endian order a multi-byte integer | 
|  | MBEDTLS_PUT_UINT{8|16|32|64}_BE. | 
|  | - the macros to read from memory a multi-byte integer in big-endian order | 
|  | MBEDTLS_GET_UINT{8|16|32|64}_BE. | 
|  | - the macro to check for space when writing into an output buffer | 
|  | `MBEDTLS_SSL_CHK_BUF_PTR`. | 
|  | - the macro to check for data when reading from an input buffer | 
|  | `MBEDTLS_SSL_CHK_BUF_READ_PTR`. | 
|  |  | 
|  | The three first types, MBEDTLS_BYTE_{0-8}, MBEDTLS_PUT_UINT{8|16|32|64}_BE | 
|  | and MBEDTLS_GET_UINT{8|16|32|64}_BE improve the readability of the code and | 
|  | reduce the risk of writing or reading bytes in the wrong order. | 
|  |  | 
|  | The two last types, `MBEDTLS_SSL_CHK_BUF_PTR` and | 
|  | `MBEDTLS_SSL_CHK_BUF_READ_PTR`, improve the readability of the code and | 
|  | reduce the risk of error in the non-completely-trivial arithmetic to | 
|  | check that we do not write or read past the end of a data buffer. The | 
|  | usage of those macros combined with the following rule mitigate the risk | 
|  | to read/write past the end of a data buffer. | 
|  |  | 
|  | Examples: | 
|  | ``` | 
|  | hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len ); | 
|  | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 ); | 
|  | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); | 
|  | ``` | 
|  |  | 
|  | - To mitigate what happened here | 
|  | (https://github.com/Mbed-TLS/mbedtls/pull/4882#discussion_r701704527) from | 
|  | happening again, use always a local variable named `p` for the reading | 
|  | pointer in functions parsing TLS 1.3 data, and for the writing pointer in | 
|  | functions writing data into an output buffer and only that variable. The | 
|  | name `p` has been chosen as it was already widely used in TLS code. | 
|  |  | 
|  | - When an TLS 1.3 structure is written or read by a function or as part of | 
|  | a function, provide as documentation the definition of the structure as | 
|  | it is in the TLS 1.3 specification. | 
|  |  | 
|  | General coding rules: | 
|  |  | 
|  | - We prefer grouping "related statement lines" by not adding blank lines | 
|  | between them. | 
|  |  | 
|  | Example 1: | 
|  | ``` | 
|  | ret = ssl_tls13_write_client_hello_cipher_suites( ssl, buf, end, &output_len ); | 
|  | if( ret != 0 ) | 
|  | return( ret ); | 
|  | buf += output_len; | 
|  | ``` | 
|  |  | 
|  | Example 2: | 
|  | ``` | 
|  | MBEDTLS_SSL_CHK_BUF_PTR( cipher_suites_iter, end, 2 ); | 
|  | MBEDTLS_PUT_UINT16_BE( cipher_suite, cipher_suites_iter, 0 ); | 
|  | cipher_suites_iter += 2; | 
|  | ``` | 
|  |  | 
|  | - Use macros for constants that are used in different functions, different | 
|  | places in the code. When a constant is used only locally in a function | 
|  | (like the length in bytes of the vector lengths in functions reading and | 
|  | writing TLS handshake message) there is no need to define a macro for it. | 
|  |  | 
|  | Example: `#define CLIENT_HELLO_RANDOM_LEN 32` | 
|  |  | 
|  | - When declaring a pointer the dereferencing operator should be prepended to | 
|  | the pointer name not appended to the pointer type: | 
|  |  | 
|  | Example: `mbedtls_ssl_context *ssl;` | 
|  |  | 
|  | - Maximum line length is 80 characters. | 
|  |  | 
|  | Exceptions: | 
|  |  | 
|  | - string literals can extend beyond 80 characters as we do not want to | 
|  | split them to ease their search in the code base. | 
|  |  | 
|  | - A line can be more than 80 characters by a few characters if just looking | 
|  | at the 80 first characters is enough to fully understand the line. For | 
|  | example it is generally fine if some closure characters like ";" or ")" | 
|  | are beyond the 80 characters limit. | 
|  |  | 
|  | If a line becomes too long due to a refactoring (for example renaming a | 
|  | function to a longer name, or indenting a block more), avoid rewrapping | 
|  | lines in the same commit: it makes the review harder. Make one commit with | 
|  | the longer lines and another commit with just the rewrapping. | 
|  |  | 
|  | - When in successive lines, functions and macros parameters should be aligned | 
|  | vertically. | 
|  |  | 
|  | Example: | 
|  | ``` | 
|  | int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, | 
|  | unsigned hs_type, | 
|  | unsigned char **buf, | 
|  | size_t *buf_len ); | 
|  | ``` | 
|  |  | 
|  | - When a function's parameters span several lines, group related parameters | 
|  | together if possible. | 
|  |  | 
|  | For example, prefer: | 
|  |  | 
|  | ``` | 
|  | mbedtls_ssl_start_handshake_msg( ssl, hs_type, | 
|  | buf, buf_len ); | 
|  | ``` | 
|  | over | 
|  | ``` | 
|  | mbedtls_ssl_start_handshake_msg( ssl, hs_type, buf, | 
|  | buf_len ); | 
|  | ``` | 
|  | even if it fits. | 
|  |  | 
|  |  | 
|  | Overview of handshake code organization | 
|  | --------------------------------------- | 
|  |  | 
|  | The TLS 1.3 handshake protocol is implemented as a state machine. The | 
|  | functions `mbedtls_ssl_tls13_handshake_{client,server}_step` are the top level | 
|  | functions of that implementation. They are implemented as a switch over all the | 
|  | possible states of the state machine. | 
|  |  | 
|  | Most of the states are either dedicated to the processing or writing of an | 
|  | handshake message. | 
|  |  | 
|  | The implementation does not go systematically through all states as this would | 
|  | result in too many checks of whether something needs to be done or not in a | 
|  | given state to be duplicated across several state handlers. For example, on | 
|  | client side, the states related to certificate parsing and validation are | 
|  | bypassed if the handshake is based on a pre-shared key and thus does not | 
|  | involve certificates. | 
|  |  | 
|  | On the contrary, the implementation goes systematically though some states | 
|  | even if they could be bypassed if it helps in minimizing when and where inbound | 
|  | and outbound keys are updated. The `MBEDTLS_SSL_CLIENT_CERTIFICATE` state on | 
|  | client side is a example of that. | 
|  |  | 
|  | The names of the handlers processing/writing an handshake message are | 
|  | prefixed with `(mbedtls_)ssl_tls13_{process,write}`. To ease the maintenance and | 
|  | reduce the risk of bugs, the code of the message processing and writing | 
|  | handlers is split into a sequence of stages. | 
|  |  | 
|  | The sending of data to the peer only occurs in `mbedtls_ssl_handshake_step` | 
|  | between the calls to the handlers and as a consequence handlers do not have to | 
|  | care about the MBEDTLS_ERR_SSL_WANT_WRITE error code. Furthermore, all pending | 
|  | data are flushed before to call the next handler. That way, handlers do not | 
|  | have to worry about pending data when changing outbound keys. | 
|  |  | 
|  | ### Message processing handlers | 
|  | For message processing handlers, the stages are: | 
|  |  | 
|  | * coordination stage: check if the state should be bypassed. This stage is | 
|  | optional. The check is either purely based on the reading of the value of some | 
|  | fields of the SSL context or based on the reading of the type of the next | 
|  | message. The latter occurs when it is not known what the next handshake message | 
|  | will be, an example of that on client side being if we are going to receive a | 
|  | CertificateRequest message or not. The intent is, apart from the next record | 
|  | reading to not modify the SSL context as this stage may be repeated if the | 
|  | next handshake message has not been received yet. | 
|  |  | 
|  | * fetching stage: at this stage we are sure of the type of the handshake | 
|  | message we must receive next and we try to fetch it. If we did not go through | 
|  | a coordination stage involving the next record type reading, the next | 
|  | handshake message may not have been received yet, the handler returns with | 
|  | `MBEDTLS_ERR_SSL_WANT_READ` without changing the current state and it will be | 
|  | called again later. | 
|  |  | 
|  | * pre-processing stage: prepare the SSL context for the message parsing. This | 
|  | stage is optional. Any processing that must be done before the parsing of the | 
|  | message or that can be done to simplify the parsing code. Some simple and | 
|  | partial parsing of the handshake message may append at that stage like in the | 
|  | ServerHello message pre-processing. | 
|  |  | 
|  | * parsing stage: parse the message and restrict as much as possible any | 
|  | update of the SSL context. The idea of the pre-processing/parsing/post-processing | 
|  | organization is to concentrate solely on the parsing in the parsing function to | 
|  | reduce the size of its code and to simplify it. | 
|  |  | 
|  | * post-processing stage: following the parsing, further update of the SSL | 
|  | context to prepare for the next incoming and outgoing messages. This stage is | 
|  | optional. For example, secret and key computations occur at this stage, as well | 
|  | as handshake messages checksum update. | 
|  |  | 
|  | * state change: the state change is done in the main state handler to ease the | 
|  | navigation of the state machine transitions. | 
|  |  | 
|  |  | 
|  | ### Message writing handlers | 
|  | For message writing handlers, the stages are: | 
|  |  | 
|  | * coordination stage: check if the state should be bypassed. This stage is | 
|  | optional. The check is based on the value of some fields of the SSL context. | 
|  |  | 
|  | * preparation stage: prepare for the message writing. This stage is optional. | 
|  | Any processing that must be done before the writing of the message or that can | 
|  | be done to simplify the writing code. | 
|  |  | 
|  | * writing stage: write the message and restrict as much as possible any update | 
|  | of the SSL context. The idea of the preparation/writing/finalization | 
|  | organization is to concentrate solely on the writing in the writing function to | 
|  | reduce the size of its code and simplify it. | 
|  |  | 
|  | * finalization stage: following the writing, further update of the SSL | 
|  | context to prepare for the next incoming and outgoing messages. This stage is | 
|  | optional. For example, handshake secret and key computation occur at that | 
|  | stage (ServerHello writing finalization), switching to handshake keys for | 
|  | outbound message on server side as well. | 
|  |  | 
|  | * state change: the state change is done in the main state handler to ease | 
|  | the navigation of the state machine transitions. |